How can I run the stats command to generate a count and display the count and other fields grouped by another field? I.e., how do I get a display like this:
Src_ip       dest_port   Count
10.1.34.5    25          3
             30          67
10.64.34.8   443         34
             80          25
             56          9
I already have the search that generates the events with these fields, I just want to generate the display to look this way.
Try something like this
your current search giving single value table with Src_ip dest_port and count | stats list(*) as * by Src_ip
I guess I have to replace * with the fields I want, right? How do I fill in the multiple fields, because it's reporting an error as well.
Using the * alone doesn't return any value.
What is the search that you tried? The one above assumes that you're already getting results in a table format with only the fields Src_ip, dest_port and count. If that's not the case, specify every field that you want to list, based on Src_ip.
...| stats list(dest_port) as dest_port list(count) as count by Src_ip
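A complete, self-contained version of the two-stage search above, added here as an example and not part of the original answer: the first stats produces the per-(Src_ip, dest_port) count table the answer assumes you already have, and the second stats collapses it to one row per Src_ip. The events are constructed with makeresults/eval purely so the search runs without an index; in practice you replace those first five lines with your own base search that yields Src_ip and dest_port.

```spl
| makeresults count=1
| eval data="10.1.34.5,25;10.1.34.5,25;10.1.34.5,25;10.1.34.5,30;10.64.34.8,443;10.64.34.8,443;10.64.34.8,80"
| makemv delim=";" data
| mvexpand data
| rex field=data "^(?<Src_ip>[^,]+),(?<dest_port>\d+)$"
| fields - data _time
| stats count by Src_ip dest_port
| stats list(dest_port) as dest_port list(count) as count by Src_ip
```

Use list() rather than values() here: values() deduplicates and sorts each multivalue field independently, so the dest_port and count rows would no longer line up, whereas list() keeps them in the same order.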
The display in my question above didn't come out the way I wanted it to.
It is a table with columns Src Ip, dest_port and count. There is only one src_IP address for multiple dest_ports and counts. I hope this explanation helps to visualize it.
Thanks,